June 20, 2017

There has never been any meaningful distinction between CyberSecurity and HIPAA Security from a technical perspective; however, from a legal perspective each regulatory regime must be treated as a unique and distinctive set of regulations. The WannaCry attack made the technical argument painfully obvious and became a "clarion call." The obliterated technical distinction has forced the healthcare industry to wake up to the fact that CyberSecurity, as represented by the HIPAA Security Rule, is no longer "simply a compliance issue" related to big brother's oversight of the industry, but rather a critical part of doing business in the 21st century!

For many years, and until fairly recently, HIPAA was viewed solely as a regulatory regime that was pertinent to the healthcare industry and almost no one else. However, upon close inspection, the HIPAA Security Rule clearly demonstrates that the security controls it mandates (referred to as "implementation specifications" in the Rule) are in fact CyberSecurity 101: a "floor" from which the healthcare industry (and needless to say other industries as well) must build to establish a "culture of compliance" (something that HHS has been demanding for quite some time now). That floor should be treated as "foundational," necessary perhaps for compliance but not sufficient to actually get the job done.

In recent guidance (see p. 2 of the guidance) HHS has expressly stated that the HIPAA Security Rule should be considered nothing more than a floor. Having a strong foundation (i.e. a "floor") is an important first step from which your compliance edifice must be built, but it is clearly not the entirety of what needs to be built. Therefore, we believe that HHS is going to become increasingly less tolerant of those organizations that cannot see their way clear to establishing the mandatory floor.

WannaCry was a game changer. If you read between the lines of HHS' guidance subsequent to that event, it's clear that we have collectively "crossed the Rubicon."

This is DEFINITELY not your Daddy's HIPAA anymore!

Looking for a simplified way to keep up with HIPAA? For a limited time, we are making available our "Showing HHS Visible, Demonstrable, Evidence" webinar when you sign up for our FREE monthly newsletter.

June 14, 2017

That question is so broad that it can only be answered succinctly in the abstract. However, for our purposes, an abstract definition works just fine. One such definition follows: "Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security."

Although the previous definition certainly works, we prefer our own: "CyberSecurity is a set of processes by which an organization identifies and implements security controls to prevent corruption (impedance to the integrity, availability and confidentiality of security objects e.g. devices, networks, applications, databases, workforce, etc.) and thereby safeguards its computing resources."

Assuming, for the sake of argument, that you accept our "security controls" based definition of CyberSecurity, then the Center for Internet Security's ("CIS") "top 20 security controls" offers a good view of what a CyberSecurity "floor" might look like, and thereby provides a baseline reference point against which to compare the HIPAA Security Rule. This spreadsheet compares the CIS top 20 and the Security Rule's implementation specifications to demonstrate the technical overlap between the two.

Although the Security Rule's controls are defined more broadly, they clearly "swallow" the CIS top 20. That is why HHS recently issued guidance (see p. 2) that the Security Rule should be considered nothing more than a cybersecurity floor: necessary, but not sufficient, to actually do the job of protecting your PHI from the "bad guys."

FREE Webinar!

Description:

This webinar will summarize the lessons learned by the healthcare industry from WannaCry & perform a postmortem on WannaCry's impact.


- See more at: http://www.lawtechtv.com/home/2017/06/you-can-see-the-full-text-of-guidance-here-the-takeaway-from-hhs-guidance-post-wannacry-can-be-summarized-as-1-contingency.html#sthash.kQOU5BgU.dpuf

June 12, 2017

The answer to this question contains two related but ultimately separate and distinct parts: (1) a set of security controls not all that dissimilar from the CIS top 20; and (2) a coherent regulatory regime that is a set of regulations unique unto itself. To ignore the latter is to make a legal mistake that could lead to significant liability. That is why, in our view, reliance on "mapping mechanisms" such as HITRUST and ISO 27001 alone is potentially dangerous legally.

No HHS auditor or court of law focusing on a HIPAA legal question is going to ask you whether or not you are in compliance with a section of HITRUST or ISO 27001. Although covered entities and business associates may use the latter as some sort of affirmative defense with respect to HIPAA compliance, the questions that HHS or a court are going to ask will reference specific sections of the HIPAA Rules. For example, the question won't be whether you conducted a Risk Assessment but whether you complied with § 164.308(a)(1)(ii)(A) "Risk Analysis (Required)."

At best your sole reliance on HITRUST or ISO 27001 (or any similar mapping mechanism) is likely going to make your defense harder, and therefore more expensive. At worst, relying on those mapping mechanisms could provide your organization a false sense of compliance that could lead to a finding of willful neglect.


June 11, 2017

This article answers that question in the affirmative. Larger and larger data breaches are now an undeniable trend, which the available data clearly supports. The money quote from this article is:

Before 2009, the majority of data breaches were the fault of human errors like misplaced hard drives and stolen laptops, or the efforts of “inside men” looking to make a profit by selling data to the highest bidder. Since then, the volume of malicious hacking (shown in purple) has exploded relative to other forms of data loss. Increasingly sophisticated hacking has altered the scale of data loss by orders of magnitude. For example, an “inside job” breach at data broker Court Ventures was once one of the world’s largest single losses of records at 200 million. However, it was eclipsed in size shortly thereafter by malicious hacks at Yahoo in 2013 and 2014 that compromised over 1.5 billion records, and now larger hacks are increasingly becoming the norm.

This data visualization comes to us from Information is Beautiful. Go to their site to see the highly-recommended interactive format that visualizes the same data, while providing additional details on each specific hack.


June 09, 2017

You can see the full text of the most recent guidance here. The takeaway from HHS' post-WannaCry guidance can be summarized as (1) Contingency Plans (see below); and (2) Network Scans.

My entity just experienced a cyber-attack! What do we do now? A Quick-Response Checklist from the HHS Office for Civil Rights (OCR)

Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? This guide explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident. In the event of a cyber-attack or similar emergency an entity:

Must execute its response and mitigation procedures and contingency plans...

Should report the crime to other law enforcement agencies...

Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs)...

Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals...

OCR considers all mitigation efforts taken by the entity during any particular breach investigation.

Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations as described above.


June 08, 2017

Your network is the heartbeat of your organization; without it no emails get sent, no applications are accessed, no third-party resources of any kind are available—in short, to a large extent, no meaningful work of any kind gets done that requires communication with colleagues, both inside and outside of the organization. So, it goes without saying that to maintain your network’s heartbeat you must monitor it for signs of well-being. Compliance with the HIPAA rules (Privacy, Security and Breach Notification—collectively “Rules” or “the Rules”) also requires that you monitor your network.

Monitoring your network requires, among other things, that you regularly “scan” it to determine whether it is functioning properly and to what degree (if any) it is being compromised by persons or entities ("Persons") inside, or outside of your network. Without periodic scans, there is no way to determine whether your network is being persistently accessed inappropriately or, worse yet, has already been penetrated by an adversary.

But for network scanning, it is highly improbable that organizations would have detected and mitigated the impact of the “WannaCry”[1] ransomware in a timely manner. The consensus today among cybersecurity experts is that your network’s perimeter can no longer be defended. You are therefore forced to assume that your network has, or will be, penetrated. No number of firewalls, proxy servers, and other perimeter defense mechanisms can prevent your adversaries from readily penetrating your outward facing defenses.

Of course, that does not mean that you do not continue to use these defenses, in fact you must. However, you must also assume that sophisticated adversaries will find a way in, and the critical question becomes “what happens then?” There are some experts who suggest that the best you can do is to apply your efforts toward significantly reducing the “dwell time”—that is, the amount of time that your adversary has already spent within your perimeter “poking around” for vulnerabilities to exploit.

Regardless of how you may choose to attack this challenge, regular periodic scans must be one of the tools in your toolset. Although the HIPAA Rules do not expressly state that network scans ("Scanning") must be performed, HHS infers the requirement as a kind of "rule of reason," because compliance with other parts of the Rules would be impossible without it. For example, HHS recently stated the following in guidance entitled FACT SHEET: Ransomware and HIPAA[2]:

It is expected that covered entities and business associates will use this process of risk analysis and risk management not only to satisfy the specific standards and implementation specifications of the Security Rule, but also when implementing security measures to reduce the particular risks and vulnerabilities to ePHI throughout an organization's entire enterprise, identified as a result of an accurate and thorough risk analysis, to a reasonable and appropriate level. For example, although there is not a Security Rule standard or implementation specification that specifically and expressly requires entities to update the firmware of network devices, entities, as part of their risk analysis and risk management process, should, as appropriate, identify and address the risks to ePHI of using network devices running on obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities. [Emphasis Added].

Discovering outdated firmware would be next to impossible without Scanning. Further, you are likely to be found in "willful neglect" of the Rules, where penalties are assessed at $50,000.00 per violation, if you are not Scanning on a timetable that is "reasonable and appropriate." This is not your Daddy's HIPAA anymore! The Persons that are attempting to harm your patients' PHI and your reputation are growing by orders of magnitude. HHS' warnings post-WannaCry have been ratcheted up because the unequivocal message from WannaCry was clear: we know where you live and we're coming for you!
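To make the point concrete, here is an added example (not code from this post, from HHS, or from any scanner vendor) of the reconciliation step that turns a periodic scan into the finding HHS is asking for: each scanned device is compared against a minimum acceptable firmware version, devices the scan has not reached within the chosen interval are flagged as stale, and devices with no baseline or an unreadable version are surfaced rather than silently passed. The CSV layout, the vendor and model names, the baseline versions and the 30-day staleness window are all constructed assumptions for the illustration; a real deployment would load the export from the scanner and the baseline from vendor advisories.

```python
"""Reconcile a network-scan export against a firmware baseline.

Added illustration; the scan export, device names, versions, baseline and
staleness policy below are constructed and not taken from the post or from HHS.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed scan export in the shape a scanner might emit (field names are
# an assumption; real scanners differ).
SCAN_EXPORT = """\
host,vendor,model,firmware,last_seen
10.0.1.1,ExampleNet,EdgeRouter-X,2.4.1,2017-06-07
10.0.1.2,ExampleNet,EdgeRouter-X,2.3.9,2017-06-07
10.0.2.10,AcmeSwitch,CoreSW-48,7.1.0,2017-05-01
10.0.2.11,AcmeSwitch,CoreSW-48,7.10.2,2017-06-07
10.0.3.5,MedImager,ScanStation,unknown,2017-06-06
10.0.3.6,OtherVendor,Thing,1.0,2017-06-07
"""

# Constructed baseline: minimum firmware per (vendor, model). In practice this
# is maintained from vendor advisories as part of the risk-analysis process.
BASELINE = {
    ("ExampleNet", "EdgeRouter-X"): "2.4.0",
    ("AcmeSwitch", "CoreSW-48"): "7.2.0",
    ("MedImager", "ScanStation"): "3.1",
}

# Assumed policy: a device the scan has not seen within this window is stale,
# meaning either the scan did not reach it or it has dropped off the network.
STALE_AFTER = timedelta(days=30)
AS_OF = date(2017, 6, 8)  # date the reconciliation is run (constructed)


@dataclass
class Finding:
    host: str
    status: str  # ok | outdated | unknown_version | no_baseline | stale
    detail: str


def parse_version(text):
    """Split '7.10.2' into (7, 10, 2) so that 7.10 sorts after 7.9.

    Returns None when the string has no numeric component (e.g. 'unknown'),
    so the caller can report it instead of treating it as version 0.
    """
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) if parts else None


def version_below(found, minimum):
    """True when found < minimum; shorter tuples are zero-padded so that
    (2, 4) and (2, 4, 0) compare equal."""
    width = max(len(found), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(minimum)


def reconcile(scan_csv, baseline, as_of, stale_after=STALE_AFTER):
    """Return one Finding per row of the scan export."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        host = row["host"]
        last_seen = date.fromisoformat(row["last_seen"])
        if as_of - last_seen > stale_after:
            findings.append(Finding(host, "stale",
                f"last seen {last_seen}, outside the {stale_after.days}-day window"))
            continue
        key = (row["vendor"], row["model"])
        minimum = baseline.get(key)
        if minimum is None:
            findings.append(Finding(host, "no_baseline", f"no minimum version for {key}"))
            continue
        found = parse_version(row["firmware"])
        if found is None:
            findings.append(Finding(host, "unknown_version",
                f"firmware field {row['firmware']!r} is not a version"))
            continue
        if version_below(found, parse_version(minimum)):
            findings.append(Finding(host, "outdated", f"{row['firmware']} < {minimum}"))
        else:
            findings.append(Finding(host, "ok", f"{row['firmware']} >= {minimum}"))
    return findings


def needs_action(findings):
    """Everything that is not 'ok' is evidence a reviewer has to look at."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in reconcile(SCAN_EXPORT, BASELINE, AS_OF):
        print(f"{f.host:<10} {f.status:<16} {f.detail}")
```

Note that the stale and no-baseline cases are reported rather than dropped: a device that was never reached, or whose model nobody has assigned a minimum version, is exactly the gap an auditor will ask about, so the report keeps it visible.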
